The CDC's voluntary text messaging system that COVID-19 vaccine recipients can use to report side effects contains security vulnerabilities, the Washington Post reports.
Oracle and HHS developed the system, dubbed V-safe, as part of the Trump administration's Operation Warp Speed, an accelerator for COVID-19 vaccines and therapeutics. The federal government awarded a $2.3 million contract to IT company CRSA to process reports submitted through V-safe.
Once patients receive the COVID-19 vaccine, they will get a fact sheet with a small black-and-white label, known as a QR code. Scanning the code with a smartphone enrolls them in the system, which sends daily text messages for one week and then weekly messages for one and a half months, directing users to web-based surveys to record their symptoms and answer health questions.
Anyone who gets access to the QR code, whether from a fact sheet accidentally left behind or from a photo posted on social media, could access V-safe, according to the report. Federal health officials who spoke on the condition of anonymity with the Post said the vulnerability would allow people to register and file false reports about their experience with immunization.
V-safe supplements existing safety-monitoring programs, and reports sent to the voluntary system are followed up by trained personnel. CDC vaccine experts may also contact the person's healthcare provider to request more information on the person's health, the agency told the Post.
The smartphone tool is undergoing "robust cybersecurity" vetting with agencies, including the U.S. Justice Department, Homeland Security Department and Defense Digital Services, an HHS spokesperson said.
An Oracle spokesperson did not respond to the Post's comment request.